Bastille system hardening - your views.

With Bastille Day coming up soon (14th July), let's have some views on this
security app. It's hardly ever mentioned in the forum, whereas AppArmor and
SELinux are often referred to. Is there something not to like?
(Maybe because the Bastille was stormed and destroyed by the commoners
who declared themselves the National Assembly and ultimately executed
the King and Queen by guillotine?) Bastille
I see it is available via Synaptic. Has an undo function in case one messes up.

Bastille Linux was renamed to Bastille Unix back in 9/11/2007. It is a hardening script that helps to harden about 8|9 different Linux distributions as referenced at the link given. That is all I know about it.

Bastille is just an automated script that performs basic hardening. All of these steps can be done manually without it. For instance, Bastille will check your /home permissions, it will check if you have a BIOS password, and it will check the number of SUID or GUID files one has on the system and allow the user to change permissions on those. It does much more than this, but you get the idea. I always just do these things myself, and I find most of them are not necessary (I don't want or need a BIOS password, for instance).

If you want a nice guide on hardening your system manually, then I suggest you read the Gentoo security guide. Just google "Gentoo security" and it will be near the top. It will walk you through how to lock down permissions, how to harden /etc/sysctl and other stuff. All of these things will be distro agnostic.

But speaking of these hardening tools, I really like Fedora's "Sectool." If you have Fedora, then:

sudo yum install sectool sectool-gui

It has a nice GUI and performs about 20 or so tests on your system. You can define levels like "Desktop" or "Server" or "Paranoid." It will show all the potential "weaknesses" and show you how to correct them. It is a nice tool and I prefer it over Bastille.
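
Two of the manual checks mentioned in this thread (home directory permissions and set-ID files) can be run as a read-only audit. The script below is an added example, not part of the original posts and not Bastille's or Sectool's own code; the function names and the default paths `/` and `/home` are assumptions, and `-perm /077` assumes GNU find.

```shell
#!/bin/sh
# Added example: read-only audit of two checks described in the thread.
# Function names and default paths (/ and /home) are assumptions.

# List regular files under $1 that have the SUID or SGID bit set.
# -xdev keeps the scan on one filesystem (skips /proc, network mounts).
list_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Count them, so the number can be compared between runs.
count_setid_files() {
    list_setid_files "$1" | wc -l | tr -d ' '
}

# List directories directly under $1 (e.g. /home) that grant any access
# to group or others, i.e. any mode bit outside 0700 (GNU find syntax).
loose_home_dirs() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -perm /077 -print 2>/dev/null
}

# Print a report; nothing on disk is changed.
audit_report() {
    root=$1
    home=$2
    echo "SUID/SGID files under $root: $(count_setid_files "$root")"
    list_setid_files "$root" | while IFS= read -r f; do ls -ld "$f"; done
    echo "Home directories open to group/others under $home:"
    loose_home_dirs "$home" | while IFS= read -r d; do ls -ld "$d"; done
}

# Run only when asked, e.g.: sh audit.sh --run / /home
if [ "${1:-}" = "--run" ]; then
    audit_report "${2:-/}" "${3:-/home}"
fi
```

Saving the set-ID listing and diffing it after package updates shows which privileged binaries were added or changed.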


Thanks. Yes Sectool does look good with a nicer GUI. Unfortunately I don't have
Fedora - only CentOS 5.3 (and Ubuntu). As Sectool seems less intimidating than
SELinux it would be nice if Sectool would work with CentOS 5.3 which is also
Red Hat based. Might give it a try.